EP2567501B1 - Method for cryptographic protection of an application - Google Patents

Method for cryptographic protection of an application Download PDF

Info

Publication number
EP2567501B1
EP2567501B1 EP11728814.2A EP11728814A EP2567501B1 EP 2567501 B1 EP2567501 B1 EP 2567501B1 EP 11728814 A EP11728814 A EP 11728814A EP 2567501 B1 EP2567501 B1 EP 2567501B1
Authority
EP
European Patent Office
Prior art keywords
application
security module
hsm
appl
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Not-in-force
Application number
EP11728814.2A
Other languages
German (de)
French (fr)
Other versions
EP2567501A1 (en
Inventor
Monika Maidl
Stefan Seltzsam
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG filed Critical Siemens AG
Publication of EP2567501A1 publication Critical patent/EP2567501A1/en
Application granted granted Critical
Publication of EP2567501B1 publication Critical patent/EP2567501B1/en
Not-in-force legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153Using hardware token as a secondary aspect

Definitions

  • the invention relates to a method and a system for the cryptographic protection of an application.
  • Protective measures must therefore be taken with which system administrators are screened by the application on the part of the service provider.
  • One measure of this shield is z.
  • the encryption of critical data which stores the application on appropriate storage means, in particular on hard drives, the data center of the service provider. As a result, unnoticed access by system administrators of the data center to data of the application can be prevented.
  • One problem is the secure storage of cryptographic keys used for encryption.
  • So-called security modules in particular in the form of hardware security modules, are known from the prior art. These allow in a secure environment, especially in the form of a smart card or a security token, the storage of secret keys, whereby access to the stored keys is only possible via an authentication.
  • a so-called PIN is used for authentication, which must be entered by the owner of the security module to access the data stored thereon. If, in the course of outsourcing an application to a data center of an external service provider, a security module is used to store cryptographic keys for encrypting application data, then it proves to be disadvantageous that, in the case of conventional authentication via a PIN, this PIN is entered manually each time the security module is accessed must be entered.
  • the publication US 2003/177401 A1 describes a method in which an application authenticates itself to a security module with a password.
  • the application sends the request for an application key with a password to the security module, which then generates an application key that is bound to the password.
  • the application sends the password and the bound application key to the application module in order to decrypt the key to the verifier. Only if password and bound key match, the application key can be used.
  • the password is provided by a user / administrator.
  • the US 2010/058068 A1 describes a networked system for Internet-based access to bank accounts that allows a user to see his PIN and change the PIN.
  • An application provides the user with a web interface and, on the other hand, has an interface to a security module.
  • the security module does not belong to the user.
  • the object of the invention is therefore an application of an application owner in a data center of an external
  • Service operator to protect against unauthorized access by the service operator via a security module, with an automatic secure access of the application is enabled on data of the security module.
  • the inventive method is used for the cryptographic protection of an application, which is assigned to an application owner and is executed in a data center, which is managed by an external, not to the application owner belonging service operator.
  • application owner is an instance or institution, such. A company, to understand.
  • the application belongs to this instance or institution, in particular the application was also developed by this entity or institution.
  • the term of the data center is to be understood within the meaning of the invention and may include one or more computers at a fixed location or distributed at different locations, via these computers Computing power is provided to perform computational operations.
  • the administration of the data center is again carried out by an entity or institution (in particular a company), which represents the service provider. Because the service provider operates the data center, he also has administrator access to the data center.
  • a security module which belongs to the application owner but which is provided in the data center, ie. which is connected via a corresponding (local) interface (eg USB) to a computer of the computer center.
  • Private (permanent) cryptographic material e.g., private keys
  • the security module is realized in particular as a so-called hardware security module, which is sufficiently known from the prior art.
  • a cryptographic secret is generated by a generation means of the application owner or by the security module.
  • the term of the generation means is to be understood broadly and may include any unit based on software or hardware in a secure computing environment of the application owner.
  • the cryptographic secret is first transmitted via a first secure channel, which protects the communication between the application and a computer means of the application owner, between the computer means and the security module, whereby the cryptographic secret for the computer means and the security module is accessible.
  • a first secure channel can be achieved, for example, via a corresponding encryption with a public key of the security module, as will be described in more detail below.
  • the above-mentioned computer means is any unit in the form of hardware or software in a secure computing environment of the application owner. This unit can communicate with the application via a corresponding interface.
  • the cryptographic secret is transmitted in the context of the inventive method further via a second secure channel, which protects the communication between the application and the computer means of the application owner, from the computer means to the application, whereby the cryptographic secret is accessible to the application.
  • a second secure channel can be established between the application owner and the application.
  • Such a second secure channel can be realized without any problems, since the application belongs to the application owner, so that, suitably, e.g. a common private key can be generated by the application and the application owner to build the second secure channel.
  • the application is authenticated relative to the security module based on the cryptographic secret accessible to the application and the security module, wherein in the case of a successful authentication, the cryptographic material of the application owner can be transferred from the security module to the application via a channel protected by the cryptographic secret ,
  • the inventive method is characterized in that an automated access to a data center running application on cryptographic material of the application owner is made possible without the service operator of the data center has the ability to read the cryptographic material.
  • This is achieved by the use of a security module of the application owner, wherein a cryptographic secret is transmitted via secure channels with the interposition of the application owner, so that this secret of both the application as well as the security module is provided. This secret can then be used to transmit cryptographic material from the security module to the application.
  • the authentication of the application to the security module is such that with the cryptographic secret accessible to the application, information is encrypted by the application and transmitted to the security module, a condition for successful authentication being that the security module can decrypt the information with the cryptographic secret accessible to the security module.
  • a session identity is generated, in particular at the beginning of the method, when the cryptographic secret is transmitted via the first secure channel and / or via the second secure channel and / or as part of the authentication of the application to the security module is transmitted with.
  • it is verified whether the session identity remains unchanged. This can be done, for example, by the entity that generated the session identity at the beginning of the process (eg the application or the security module) checking whether the session identity transmitted to it at a later time matches the originally generated session identity. If this is not the case, the method is preferably terminated.
  • protection of so-called replay attacks is attempted in which attempts are made to introduce secrets used in previous sessions into the procedure.
  • the session identity is further used as the information which is encrypted by the application during its authentication and transmitted to the security module.
  • the cryptographic secrets are generated by the security module and transmitted via the first secure channel to the computer means of the application owner, wherein the first secure channel is formed by encrypting a first message with a first encryption, to which the service operator has no access, and is subsequently transmitted to the computing means of the application owner, the first message containing the cryptographic secret.
  • the encrypted first message is signed with a signature of the security module, so that it can be verified that the first message also comes from the security module.
  • the first encryption takes place with a public key of the application owner or optionally also with a private key which is known only to the application owner or the security module.
  • the encrypted first message transmitted to the computer means of the application owner is decrypted, the decryption preferably taking place by the computer means.
  • the first message is transmitted to the application via the second secure channel, wherein the second secure channel is formed by encrypting the decrypted first message with a second encryption to which the service provider has no access, and sending it to the application ,
  • the cryptographic secret is transmitted to the application via a protected connection, the application having a corresponding key for decrypting the second encryption.
  • the cryptographic secret of the generating means generated by the application owner and transmitted via the first secure channel to the security module, wherein the first secure channel is formed by encrypting a second message via a second encryption, to which the service operator has no access, and then transmitted to the security module, wherein the second message contains the cryptographic secret.
  • the encrypted second message is signed with a signature of the application owner.
  • the second encryption of the second message preferably takes place with a public key of the security module or possibly also with a private key, which is known only to the application owner and the security module.
  • the first secure channel is tunneled through the application. That is, in the context of the first secure channel, a message transmission takes place with the interposition of the application, but the application does not have the opportunity to access this first secure channel or the information transmitted therein.
  • the tunneled first secure channel is formed by first transmitting the encrypted second message together with at least the cryptographic secret to the application via the second secure channel, wherein the application then transmits the received encrypted second message to the security module , In this way, a parallel transmission over both the first and the second secure channel is achieved.
  • the invention further relates to a system for cryptographically protecting an application, the application being associated with an application owner and executable in a data center managed by an external service operator not belonging to the application owner, the system operating in the data center provided security module of the application owner, is deposited on the private cryptographic material of the application owner, and a generating means and a computer means of the application owner.
  • the system is designed in such a way that when carrying out the application in the data center, it carries out the method according to the invention described above or one or more variants of this method.
  • the embodiments of the inventive method described below relate to the cryptographic protection of an application APPL, which belongs to an application owner, who in Fig. 1 and Fig. 2 is indicated by the reference numeral AO.
  • the application owner provides an instance or institution, such. A company to which the application APPL belongs.
  • the application APPL may have been developed by the application owner.
  • the application owner provides his customers with a corresponding service, wherein he does not execute the application for providing the service himself, but instead uses a data center on which the application runs.
  • the data center is thus an external unit which is managed by a service operator not belonging to the application owner AO.
  • a private key in the form of a master key MK is used, with which data generated by the application are suitably encrypted in the corresponding memory in the data center (eg on a hard disk in the data center). It must be ensured that, although the application has access to the master key MK, this is cryptographically protected from access by the service provider.
  • a so-called hardware security module HSM is used in the embodiment described below, which is known per se from the prior art, this security module belongs to the application owner and represents a cryptographically secured environment in which the master -Key MK is deposited.
  • the hardware security module HSM is provided in the data center, i. it is properly connected to a corresponding computer in the data center via a wireless or wired interface, where the cryptographic protection of the hardware security module ensures that the service operator managing the data center has no access to the data stored thereon.
  • the aim of the method according to the invention is now to create an automated access to the master key NK under the control of the application owner AO, so that the application APPL receives the master key for encrypting data, without the service provider of the data center having access to has the master key.
  • secure authentication of the application APPL against the hardware security module HSM is carried out, whereby the authentication is also protected against attackers who have administrator rights in the data center.
  • One constraint is that the authentication of the application to the hardware security module automatically, ie without the intervention of people should be done. Through this Boundary condition ensures that the application can automatically restart immediately after a system crash.
  • the application owner AO is understood to be a correspondingly secure computer environment that is assigned to the application owner. That is, if subsequent steps are performed by the application owner or communicated with the application owner, this means that a corresponding computing means realized by software or hardware, which is part of the secure computing environment, is involved in the method step or the communication. It is further assumed below that during operation of the application there is a secure channel between the application owner AO and the application APPL, via which the application owner AO can exchange messages with the application APPL, so that no third party, not even a system administrator of the application Data Center, read this news.
  • Such a secure channel which corresponds to the second secure channel in the sense of the claims, can easily be implemented between the application owner AO and the application APPL, since the application belongs to the application owner and is therefore known to the application owner. Consequently, a corresponding, known only to the application owner and the application secret can be generated in a suitable manner at the end of the application in the data center, which is then used to establish the secure channel between the application owner and application.
  • the reference symbols APPL and HSM are used within the exchanged messages, then these designate unique identifiers of the application or of the hardware security module, eg. B. a hash code of the application or a serial number of the hardware security module.
  • a message exchange is initialized by the application APPL via a message N1, which is sent by the application APPL to the hardware security module HSM and contains the identifier of the application APPL and the hardware security module HSM.
  • the hardware security module generates a symmetric key "key", which at the end of the procedure represents the shared secret between the application and the hardware security module.
  • This symmetric key is sent via a first secure channel based on the message N2 from the hardware security module HSM to the application owner AO.
  • message N2 is a Message M1 containing the key key, the identifiers of the application APPL and the security module HSM and a session identification SID. This session identification was generated by the HSM.
  • the message M1 is encrypted with the public key K (AO) of the application owner and further signed with the signature sig (HSM) of the hardware security module. Based on this message M2, it is ensured that the generated key key can not be read by the system administrators of the data center because they do not have access to the private key of the application owner for decrypting the message M1. Because the message M2 is signed with sig (HSM), the application owner AO can be sure that the message and thus also the key key originate from the security module HSM.
  • HSM signature sig
  • the application owner AO After receiving the message N2, the application owner AO sends a message N3 to the application via the secure channel established between the application owner AO and the application APPL.
  • the message N3 contains the previously transmitted as part of the message N2 message M1, which is now encrypted via the corresponding key k, which protects the communication between AO and APPL.
  • the secure channel between the application owner AO and the application APPL ensures that only the application APPL can read the key key from the message N3.
  • the application APPL is authenticated to the security module HSM, wherein the authentication takes place based on the message N4, which contains the identifiers of the application APPL and the security module HSM and the session identification SID and with the originally generated in the HSM Key key is encrypted.
  • Authentication is only successful if HSM can decrypt the message with the key originally generated by it.
  • Another security feature is achieved by further that the transmitted session identification SID with the originally generated by the HSM session identification must match. In this way, a protection against so-called replay attacks is ensured, in which already once in the context of a previous authentication transmitted messages are used again.
  • the hardware security module HSM can be sure that messages that are received by the application APPL and encrypted with the key key, really come from the application. According to the variant of Fig. 1 This ensures that the secret key over trusted connections with the interposition of the application owner AO reaches the application APPL, without a system administrator of the data center has the opportunity to access the secret.
  • a secure channel between the APPL application and the HSM security module can be set up using the key key.
  • the master key MK is then transmitted to the application APPL via this channel, which can then encrypt application data with this key.
  • Fig. 2 shows a second variant of the method according to the invention.
  • the shared secret in the form of the key key is not generated by the hardware security module HSM but by the application owner AO.
  • a secure message N1 is first sent to the application owner AO by the application APPL, which wishes to authenticate itself to the hardware security module HSM.
  • This message encrypted via the key k contains a session identification SID, which is now generated by the application APPL, as well as identifiers of the hardware security module HSM and the application APPL.
  • the application owner AO After receiving the message N1, the application owner AO generates the symmetric key key.
  • This key represents the shared secret that authenticates the APPL application to the HSM security module at the end of the procedure. To achieve this authentication, the key key must be securely transmitted to the application APPL and the security module HSM. This will be part of the Fig. 2 achieved by the transmission of the message N2 from the application owner AO to the application APPL and the message N3 from the application APPL to the security module HSM. In contrast to Fig. 1 In this case, no separate secure channel is established between application owner AO and security module HSM. Instead, a secure channel is tunneled between application owner AO and security module HSM via the application APPL.
  • a message M2 is transmitted together with the generated key key, the session identification SID and the identifier of the hardware security module HSM.
  • the message M2 again contains the session identification SID and the key key and the identifier of the application APPL.
  • the message is encrypted with the public key K (HSM) of the security module and further signed with the signature sig (AO) of the application owner.
  • HSM public key K
  • AO signature sig
  • the combination of encrypted and signed message M2 with SID, HSM and key is transmitted via the secure channel between AO and APPL to the application APPL. Then APPL decrypts the message and thus obtains the key key that is held in memory.
  • the application can verify that the message is up-to-date, because it can compare the transmitted session identification with the session identification originally generated by it. Subsequently, the application APPL sends a message N3 to the security module HSM, this message comprising the message M2 contained in the previously received message N2, which is signed with sig (AO) and is encrypted with the public key of the security module HSM, so that it could not be decrypted by the application. In addition, the application APPL encrypts the session identification with the key key and attaches the result to the message N3.
  • the security module HSM can verify via the signature sig (AO) that the application owner AO has generated this message and has also securely transmitted the key to the application APPL. Subsequently, the HSM can decrypt the encrypted session identification via the key key deposited with it, proving that APPL has the shared secret key. Due to the successful decryption then the application APPL is authenticated to the security module HSM, i. the security module HSM can be sure that the key encrypted messages come from APPL. By comparing the session identification SID in the message N3 with the key-encrypted session identification, the security module HSM can also determine that the message N3 is not a replay of an old message.
  • the security module HSM can also determine that the message N3 is not a replay of an old message.
  • a secure channel can then be established between the application APPL and the security module HSM using the shared secret in the form of the key key, whereupon the master key MK can then be transferred from the HSM to the application APPL, so that the application can then encrypt the application data with this master key.
  • a secure authentication of the application APPL at the security module HSM of the application owner AO is made possible without the external Service operator whose data center is running the application, has the ability to access the common secret generated in the context of authentication between application and security module.
  • This is achieved by using a security module assigned to the application owner as well as communication via secure channels with the interposition of the application owner.
  • the access to the master key of the security module can be carried out automatically, without having to manually enter a password from authorized persons of the application owner.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Description

Die Erfindung betrifft ein Verfahren und ein System zum kryptographischen Schutz einer Applikation.The invention relates to a method and a system for the cryptographic protection of an application.

Aus dem Stand der Technik ist es bekannt, dass im Rahmen eines so genannten Cloud-Computing durch einen Dienstbetreiber Rechenleistung Dritten zur Verfügung gestellt wird, welche diese Rechenleistung zur Ausführung von Applikationen nutzen. Die Applikationen laufen dabei auf einem Rechenzentrum des Dienstbetreibers, das sich entweder konzentriert an einem Ort befinden kann oder auch zur Erbringung von flexiblen Diensten verteilt zusammengeschaltet sein kann.From the prior art, it is known that as part of a so-called cloud computing by a service provider computing power is made available to third parties, which use this computing power to execute applications. The applications run on a data center of the service provider, which can be located either concentrated in one place or can be interconnected distributed for the provision of flexible services.

Ein Kunde des Dienstbetreibers in der Form eines Applikationseigners, der eine zu ihm gehörige Applikation auf dem Rechenzentrum des Dienstbetreibers laufen lassen möchte, ist daran interessiert, dass der Dienstbetreiber keine Möglichkeit hat, auf die Applikation bzw. durch die Applikation erzeugte Applikationsdaten zugreifen kann. Es müssen somit Schutzmaßnahmen getroffen werden, mit denen System-Administratoren auf Seiten des Dienstbetreibers von der Applikation abgeschirmt werden. Eine Maßnahme dieser Abschirmung ist z. B. die Verschlüsselung von kritischen Daten, welche die Applikation auf entsprechenden Speichermitteln, insbesondere auf Festplatten, des Rechenzentrums des Dienstbetreibers speichert. Dadurch kann ein unbemerkter Zugriff durch System-Administratoren des Rechenzentrums auf Daten der Applikation verhindert werden. Ein Problem ist dabei die sichere Verwahrung der zur Verschlüsselung verwendeten kryptographischen Schlüssel.A customer of the service provider in the form of an application owner who wants to run a belonging to him application on the data center of the service provider, is interested in the fact that the service operator has no way to access the application or generated by the application application data. Protective measures must therefore be taken with which system administrators are screened by the application on the part of the service provider. One measure of this shield is z. As the encryption of critical data, which stores the application on appropriate storage means, in particular on hard drives, the data center of the service provider. As a result, unnoticed access by system administrators of the data center to data of the application can be prevented. One problem is the secure storage of cryptographic keys used for encryption.

Aus dem Stand der Technik sind so genannte Sicherheitsmodule, insbesondere in der Form von Hardware-Sicherheitsmodulen, bekannt. Diese ermöglichen in einer sicheren Umgebung, insbesondere in der Form einer Chipkarte oder eines Security-Tokens, die Speicherung von geheimen Schlüsseln, wobei nur über eine Authentisierung ein Zugriff auf die gespeicherten Schlüssel ermöglicht wird. Üblicherweise wird zur Authentisierung eine so genannte PIN verwendet, welche von dem Besitzer des Sicherheitsmoduls zum Zugriff auf die darauf gespeicherten Daten eingegeben werden muss. Wird im Rahmen einer Auslagerung einer Applikation auf ein Rechenzentrum eines externen Dienstbetreibers ein Sicherheitsmodul zur Speicherung von kryptographischen Schlüsseln zur Verschlüsselung von Applikationsdaten verwendet, so erweist es sich als nachteilhaft, dass bei einer herkömmlichen Authentisierung über eine PIN bei jedem Zugriff auf das Sicherheitsmodul diese PIN manuell eingegeben werden muss.So-called security modules, in particular in the form of hardware security modules, are known from the prior art. These allow in a secure environment, especially in the form of a smart card or a security token, the storage of secret keys, whereby access to the stored keys is only possible via an authentication. Typically, a so-called PIN is used for authentication, which must be entered by the owner of the security module to access the data stored thereon. If, in the course of outsourcing an application to a data center of an external service provider, a security module is used to store cryptographic keys for encrypting application data, then it proves to be disadvantageous that, in the case of conventional authentication via a PIN, this PIN is entered manually each time the security module is accessed must be entered.

Die Druckschrift US 2003/177401 A1 beschreibt ein Verfahren, bei dem eine Applikation sich gegenüber einem Sicherheitsmodul mit einem Passwort authentifiziert. In einer ersten Phase sendet die Applikation die Anforderung für einen Applikationsschlüssel mit einem Passwort an das Sicherheitsmodul, welches daraufhin einen Applikationsschlüssel erzeugt, der an das Passwort gebunden ist. In der zweiten Phase sendet die Applikation das Passwort und den gebundenen Applikationsschlüssel an das Applikationsmodul, um den Schlüssel zum Veroder Entschlüsseln zu nutzen. Nur wenn Passwort und gebundener Schlüssel zusammenpassen, kann der Applikationsschlüssel verwendet werden. Das Passwort wird dabei von einem Nutzer/Administrator bereitgestellt.The publication US 2003/177401 A1 describes a method in which an application authenticates itself to a security module with a password. In a first phase, the application sends the request for an application key with a password to the security module, which then generates an application key that is bound to the password. In the second phase, the application sends the password and the bound application key to the application module in order to decrypt the key to the verifier. Only if password and bound key match, the application key can be used. The password is provided by a user / administrator.

Die US 2010/058068 A1 beschreibt ein vernetztes System zum internetbasierten Zugriff auf Bankkonten, das es einem Nutzer ermöglicht, seine PIN gezeigt zu bekommen und die PIN zu ändern. Dabei stellt eine Applikation dem Nutzer ein Web-Interface zur Verfügung und hat andererseits eine Schnittstelle zu einem Sicherheitsmodul. Das Sicherheitsmodul gehört dabei nicht dem Nutzer.The US 2010/058068 A1 describes a networked system for Internet-based access to bank accounts that allows a user to see his PIN and change the PIN. An application provides the user with a web interface and, on the other hand, has an interface to a security module. The security module does not belong to the user.

Aufgabe der Erfindung ist es deshalb, eine Applikation eines Applikationseigners in einem Rechenzentrum eines externenThe object of the invention is therefore an application of an application owner in a data center of an external

Dienstbetreibers gegenüber unbefugten Zugriffen des Dienstbetreibers über ein Sicherheitsmodul zu schützen, wobei ein automatischer gesicherter Zugriff der Applikation auf Daten des Sicherheitsmoduls ermöglicht wird.Service operator to protect against unauthorized access by the service operator via a security module, with an automatic secure access of the application is enabled on data of the security module.

Diese Aufgabe wird durch das Verfahren gemäß Patentanspruch 1 bzw. das System gemäß Patentanspruch 14 gelöst. Weiterbildungen der Erfindung sind in den abhängigen Ansprüchen definiert.This object is achieved by the method according to claim 1 or the system according to claim 14. Further developments of the invention are defined in the dependent claims.

Das erfindungsgemäße Verfahren dient zum kryptographischen Schutz einer Applikation, welche einem Applikationseigner zugeordnet ist und in einem Rechenzentrum ausgeführt wird, das von einem externen, nicht zum Applikationseigner gehörenden Dienstbetreiber verwaltet wird. Unter Applikationseigner ist dabei eine Instanz bzw. Institution, wie z. B. ein Unternehmen, zu verstehen. Dieser Instanz bzw. Institution gehört die Applikation, insbesondere wurde die Applikation auch von dieser Instanz bzw. Institution entwickelt. Der Begriff des Rechenzentrums ist im Sinne der Erfindung weit zu verstehen und kann eine oder mehrere Rechner an einem festen Ort bzw. verteilt an verschiedenen Orten umfassen, wobei über diese Rechner Rechenleistung zur Ausführung von Rechenvorgängen bereitgestellt wird. Die Verwaltung des Rechenzentrums wird wiederum durch eine Instanz bzw. Institution (insbesondere ein Unternehmen) vorgenommen, welches den Dienstbetreiber darstellt. Da der Dienstbetreiber das Rechenzentrum betreibt, hat er auch Administrator-Zugriffsrechte auf das Rechenzentrum.The inventive method is used for the cryptographic protection of an application, which is assigned to an application owner and is executed in a data center, which is managed by an external, not to the application owner belonging service operator. Under application owner is an instance or institution, such. A company, to understand. The application belongs to this instance or institution, in particular the application was also developed by this entity or institution. The term of the data center is to be understood within the meaning of the invention and may include one or more computers at a fixed location or distributed at different locations, via these computers Computing power is provided to perform computational operations. The administration of the data center is again carried out by an entity or institution (in particular a company), which represents the service provider. Because the service provider operates the data center, he also has administrator access to the data center.

Im Rahmen des erfindungsgemäßen Verfahrens wird ein Sicherheitsmodul verwendet, das zwar dem Applikationseigner gehört, welches jedoch im Rechenzentrum vorgesehen ist, d.h. welches über eine entsprechende (lokale) Schnittstelle (z. B. USB) an einem Rechner des Rechenzentrums angeschlossen ist. Auf diesem Sicherheitsmodul ist privates (permanentes) kryptographisches Material (z.B. private Schlüssel) des Applikationseigners hinterlegt, welches dazu dient, um Applikationsdaten der Applikation geeignet zu verschlüsseln. Das Sicherheitsmodul ist dabei insbesondere als ein so genanntes Hardware-Sicherheitsmodul realisiert, welches hinlänglich aus dem Stand der Technik bekannt ist.In the context of the method according to the invention, a security module is used which belongs to the application owner but which is provided in the data center, ie. which is connected via a corresponding (local) interface (eg USB) to a computer of the computer center. Private (permanent) cryptographic material (e.g., private keys) of the application owner is stored on this security module, which serves to suitably encrypt application data of the application. The security module is realized in particular as a so-called hardware security module, which is sufficiently known from the prior art.

Erfindungsgemäß wird durch ein Generierungsmittel des Applikationseigners oder durch das Sicherheitsmodul ein kryptographisches Geheimnis generiert. Der Begriff des Generierungsmittels ist dabei weit zu verstehen und kann jede, basierend auf Software bzw. Hardware realisierte Einheit in einer sicheren Rechenumgebung des Applikationseigners umfassen. Das kryptographische Geheimnis wird zunächst über einen ersten sicheren Kanal, der die Kommunikation zwischen der Applikation und einem Rechnermittel des Applikationseigners schützt, zwischen dem Rechnermittel und dem Sicherheitsmodul übermittelt, wodurch das kryptographische Geheimnis für das Rechnermittel und das Sicherheitsmodul zugänglich wird. Ein solcher erster sicherer Kanal kann beispielsweise über eine entsprechende Verschlüsselung mit einem öffentlichen Schlüssel des Sicherheitsmoduls erreicht werden, wie weiter unten noch näher beschrieben wird. Analog zu dem Generierungsmittel ist das oben erwähnte Rechnermittel eine beliebige Einheit in der Form von Hardware bzw. Software in einer sicheren Rechnerumgebung des Applikationseigners. Diese Einheit kann übereine entsprechende Schnittstelle mit der Applikation kommunizieren.According to the invention, a cryptographic secret is generated by a generation means of the application owner or by the security module. The term of the generation means is to be understood broadly and may include any unit based on software or hardware in a secure computing environment of the application owner. The cryptographic secret is first transmitted via a first secure channel, which protects the communication between the application and a computer means of the application owner, between the computer means and the security module, whereby the cryptographic secret for the computer means and the security module is accessible. Such a first secure channel can be achieved, for example, via a corresponding encryption with a public key of the security module, as will be described in more detail below. Analogous to the generating means, the above-mentioned computer means is any unit in the form of hardware or software in a secure computing environment of the application owner. This unit can communicate with the application via a corresponding interface.

Das kryptographische Geheimnis wird im Rahmen des erfindungsgemäßen Verfahrens ferner über einen zweiten sicheren Kanal, der die Kommunikation zwischen der Applikation und dem Rechnermittel des Applikationseigners schützt, von dem Rechnermittel an die Applikation übermittelt, wodurch das kryptographische Geheimnis für die Applikation zugänglich wird. Es wird dabei vorausgesetzt, dass ein zweiter sicherer Kanal zwischen Applikationseigner und Applikation aufgebaut werden kann. Ein solcher zweiter sicherer Kanal ist problemlos realisierbar, da die Applikation dem Applikationseigner gehört, so dass in geeigneter Weise z.B. ein gemeinsamer privater Schlüssel von Applikation und Applikationseigner zum Aufbau des zweiten sicheren Kanals generiert werden kann.The cryptographic secret is transmitted in the context of the inventive method further via a second secure channel, which protects the communication between the application and the computer means of the application owner, from the computer means to the application, whereby the cryptographic secret is accessible to the application. It is assumed that a second secure channel can be established between the application owner and the application. Such a second secure channel can be realized without any problems, since the application belongs to the application owner, so that, suitably, e.g. a common private key can be generated by the application and the application owner to build the second secure channel.

Erfindungsgemäß erfolgt schließlich eine Authentisierung der Applikation gegenüber dem Sicherheitsmodul basierend auf dem für die Applikation und das Sicherheitsmodul zugänglichen kryptographischen Geheimnis, wobei im Falle einer erfolgreichen Authentisierung das kryptographische Material des Applikationseigners über einen durch das kryptographische Geheimnis geschützten Kanal von dem Sicherheitsmodul an die Applikation übertragbar ist.Finally, according to the invention, the application is authenticated relative to the security module based on the cryptographic secret accessible to the application and the security module, wherein in the case of a successful authentication, the cryptographic material of the application owner can be transferred from the security module to the application via a channel protected by the cryptographic secret ,

Das erfindungsgemäße Verfahren zeichnet sich dadurch aus, dass automatisiert ein Zugriff einer auf einem Rechenzentrum laufenden Applikation auf kryptographisches Material des Applikationseigners ermöglicht wird, ohne dass der Dienstbetreiber des Rechenzentrums die Möglichkeit hat, das kryptographische Material auszulesen. Dies wird durch die Verwendung eines Sicherheitsmoduls des Applikationseigners erreicht, wobei über sichere Kanäle unter Zwischenschaltung des Applikationseigners ein kryptographisches Geheimnis übermittelt wird, so dass dieses Geheimnis sowohl der Applikation als auch dem Sicherheitsmodul bereitgestellt wird. Dieses Geheimnis kann dann zur Übertragung von kryptographischem Material des Sicherheitsmoduls an die Applikation genutzt werden.The inventive method is characterized in that an automated access to a data center running application on cryptographic material of the application owner is made possible without the service operator of the data center has the ability to read the cryptographic material. This is achieved by the use of a security module of the application owner, wherein a cryptographic secret is transmitted via secure channels with the interposition of the application owner, so that this secret of both the application as well as the security module is provided. This secret can then be used to transmit cryptographic material from the security module to the application.

In einer besonders bevorzugten Ausführungsform des erfindungsgemäßen Verfahrens erfolgt die Authentisierung der Applikation gegenüber dem Sicherheitsmodul derart, dass mit dem für die Applikation zugänglichen kryptographischen Geheimnis eine Information von der Applikation verschlüsselt und an das Sicherheitsmodul übertragen wird, wobei eine Bedingung für eine erfolgreiche Authentisierung darin besteht, dass das Sicherheitsmodul die Information mit dem für das Sicherheitsmodul zugänglichen kryptographischen Geheimnis entschlüsseln kann. Hierdurch wird auf besonders einfache Weise eine Verifikation dahingehend durchgeführt, dass sowohl die Applikation als auch das Sicherheitsmodul das gleiche kryptographische Geheimnis beinhalten.In a particularly preferred embodiment of the method according to the invention, the authentication of the application to the security module is such that with the cryptographic secret accessible to the application, information is encrypted by the application and transmitted to the security module, a condition for successful authentication being that the security module can decrypt the information with the cryptographic secret accessible to the security module. As a result, a verification is carried out in a particularly simple manner to the effect that both the application and the security module contain the same cryptographic secret.

In einer weiteren bevorzugten Ausführungsform des erfindungsgemäßen Verfahrens wird insbesondere zu Beginn des Verfahrens eine Sitzungsidentität generiert, welche bei der Übermittlung des kryptographischen Geheimnisses über den ersten sicheren Kanal und/oder über den zweiten sicheren Kanal und/oder im Rahmen der Authentisierung der Applikation gegenüber dem Sicherheitsmodul mit übertragen wird. Dabei wird im Laufe des Verfahrens verifiziert, ob die Sitzungsidentität unverändert bleibt. Dies kann beispielsweise dadurch erfolgen, dass diejenige Einheit, welche die Sitzungsidentität zu Beginn des Verfahrens erzeugt hat (z. B. die Applikation oder das Sicherheitsmodul), überprüft, ob die zu einem späteren Zeitpunkt an sie übermittelte Sitzungsidentität mit der ursprünglich generierten Sitzungsidentität übereinstimmt. Ist dies nicht der Fall, wird das Verfahren vorzugsweise abgebrochen. Gemäß dieser Variante der Erfindung wird ein Schutz von so genannten Replay-Angriffen erreicht, bei denen versucht wird, in früheren Sitzungen verwendete Geheimnisse in das Verfahren einzuschleusen. In einer bevorzugten Variante wird die Sitzungsidentität ferner als diejenige Information verwendet, welche von der Applikation bei deren Authentisierung verschlüsselt und an das Sicherheitsmodul übertragen wird.In a further preferred embodiment of the method according to the invention, a session identity is generated, in particular at the beginning of the method, when the cryptographic secret is transmitted via the first secure channel and / or via the second secure channel and / or as part of the authentication of the application to the security module is transmitted with. During the process, it is verified whether the session identity remains unchanged. This can be done, for example, by the entity that generated the session identity at the beginning of the process (eg the application or the security module) checking whether the session identity transmitted to it at a later time matches the originally generated session identity. If this is not the case, the method is preferably terminated. According to this variant of the invention, protection of so-called replay attacks is attempted in which attempts are made to introduce secrets used in previous sessions into the procedure. In a preferred variant, the session identity is further used as the information which is encrypted by the application during its authentication and transmitted to the security module.

In einer weiteren Ausführungsform des erfindungsgemäßen Verfahrens wird das kryptographische Geheimnisse von dem Sicherheitsmodul generiert und über den ersten sicheren Kanal an das Rechnermittel des Applikationseigners übertragen, wobei der erste sichere Kanal dadurch gebildet wird, dass eine erste Nachricht mit einer ersten Verschlüsselung verschlüsselt wird, auf welche der Dienstbetreiber keinen Zugriff hat, und anschließend an das Rechenmittel des Applikationseigners übertragen wird, wobei die erste Nachricht das kryptographische Geheimnis enthält. Vorzugsweise ist dabei die verschlüsselte erste Nachricht mit einer Signatur des Sicherheitsmoduls signiert, so dass verifiziert werden kann, dass die erste Nachricht auch von dem Sicherheitsmodul stammt. In einer bevorzugten Variante erfolgt die erste Verschlüsselung mit einem öffentlichen Schlüssel des Applikationseigners oder gegebenenfalls auch mit einem privaten Schlüssel, der nur dem Applikationseigner oder dem Sicherheitsmodul bekannt ist.In a further embodiment of the inventive method, the cryptographic secrets are generated by the security module and transmitted via the first secure channel to the computer means of the application owner, wherein the first secure channel is formed by encrypting a first message with a first encryption, to which the service operator has no access, and is subsequently transmitted to the computing means of the application owner, the first message containing the cryptographic secret. Preferably, the encrypted first message is signed with a signature of the security module, so that it can be verified that the first message also comes from the security module. In a preferred variant, the first encryption takes place with a public key of the application owner or optionally also with a private key which is known only to the application owner or the security module.

In einer weiteren Variante des erfindungsgemäßen Verfahrens wird die an das Rechnermittel des Applikationseigners übertragene verschlüsselte erste Nachricht entschlüsselt, wobei die Entschlüsselung vorzugsweise durch das Rechnermittel erfolgt. Anschließend wird die erste Nachricht über den zweiten sicheren Kanal an die Applikation übertragen, wobei der zweite sichere Kanal dadurch gebildet wird, dass die entschlüsselte erste Nachricht mit einer zweiten Verschlüsselung, auf welche der Dienstbetreiber keinen Zugriff hat, verschlüsselt wird und an die Applikation gesendet wird. Auf diese Weise wird das kryptographische Geheimnis über eine geschützte Verbindung an die Applikation übermittelt, wobei die Applikation über einen entsprechenden Schlüssel zum Entschlüsseln der zweiten Verschlüsselung verfügt.In a further variant of the method according to the invention, the encrypted first message transmitted to the computer means of the application owner is decrypted, the decryption preferably taking place by the computer means. Subsequently, the first message is transmitted to the application via the second secure channel, wherein the second secure channel is formed by encrypting the decrypted first message with a second encryption to which the service provider has no access, and sending it to the application , In this way, the cryptographic secret is transmitted to the application via a protected connection, the application having a corresponding key for decrypting the second encryption.

In einer weiteren Ausgestaltung des erfindungsgemäßen Verfahrens wird das kryptographische Geheimnis von dem Generierungsmittel des Applikationseigners generiert und über den ersten sicheren Kanal an das Sicherheitsmodul übertragen, wobei der erste sichere Kanal dadurch gebildet wird, dass eine zweite Nachricht über eine zweite Verschlüsselung verschlüsselt wird, auf welche der Dienstbetreiber keinen Zugriff hat, und anschließend an das Sicherheitsmodul übertragen wird, wobei die zweite Nachricht das kryptographische Geheimnis enthält. Vorzugsweise ist dabei die verschlüsselte zweite Nachricht mit einer Signatur des Applikationseigners signiert. Ferner erfolgt die zweite Verschlüsselung der zweiten Nachricht vorzugsweise mit einem öffentlichen Schlüssel des Sicherheitsmoduls oder gegebenenfalls auch mit einem privaten Schlüssel, der nur dem Applikationseigner und dem Sicherheitsmodul bekannt ist.In a further embodiment of the method according to the invention, the cryptographic secret of the generating means generated by the application owner and transmitted via the first secure channel to the security module, wherein the first secure channel is formed by encrypting a second message via a second encryption, to which the service operator has no access, and then transmitted to the security module, wherein the second message contains the cryptographic secret. Preferably, the encrypted second message is signed with a signature of the application owner. Furthermore, the second encryption of the second message preferably takes place with a public key of the security module or possibly also with a private key, which is known only to the application owner and the security module.

In einer weiteren, besonders bevorzugten Ausführungsform des erfindungsgemäßen Verfahrens wird der erste sichere Kanal über die Applikation getunnelt. Das heißt, im Rahmen des ersten sicheren Kanals erfolgt eine Nachrichtenübermittlung unter Zwischenschaltung der Applikation, wobei die Applikation jedoch nicht die Möglichkeit hat, auf diesen ersten sicheren Kanal bzw. die darin übermittelten Informationen zuzugreifen. In einer besonders bevorzugten Variante wird der getunnelte erste sichere Kanal dadurch gebildet, dass die verschlüsselte zweite Nachricht zusammen mit zumindest dem kryptographischen Geheimnis zunächst über den zweiten sicheren Kanal an die Applikation übertragen wird, wobei die Applikation anschließend die empfangene verschlüsselte zweite Nachricht an das Sicherheitsmodul überträgt. Auf diese Weise wird eine parallele Übertragung sowohl über den ersten als auch über den zweiten sicheren Kanal erreicht.In a further, particularly preferred embodiment of the method according to the invention, the first secure channel is tunneled through the application. That is, in the context of the first secure channel, a message transmission takes place with the interposition of the application, but the application does not have the opportunity to access this first secure channel or the information transmitted therein. In a particularly preferred variant, the tunneled first secure channel is formed by first transmitting the encrypted second message together with at least the cryptographic secret to the application via the second secure channel, wherein the application then transmits the received encrypted second message to the security module , In this way, a parallel transmission over both the first and the second secure channel is achieved.

Neben dem oben beschriebenen Verfahren betrifft die Erfindung ferner ein System zum kryptographischen Schutz einer Applikation, wobei die Applikation einem Applikationseigner zugeordnet ist und in einem Rechenzentrum ausführbar ist, das von einem externen, nicht zum Applikationseigner gehörenden Dienstbetreiber verwaltet wird, wobei das System ein im Rechenzentrum vorgesehenes Sicherheitsmodul des Applikationseigners umfasst, auf dem privates kryptographisches Material des Applikationseigners hinterlegt ist, sowie ein Generierungsmittel und ein Rechnermittel des Applikationseigners. Das System ist dabei derart ausgestaltet, dass es bei der Durchführung der Applikation in dem Rechenzentrum das oben beschriebene erfindungsgemäße Verfahren bzw. eine oder mehrere Varianten dieses Verfahrens ausführt.In addition to the method described above, the invention further relates to a system for cryptographically protecting an application, the application being associated with an application owner and executable in a data center managed by an external service operator not belonging to the application owner, the system operating in the data center provided security module of the application owner, is deposited on the private cryptographic material of the application owner, and a generating means and a computer means of the application owner. The system is designed in such a way that when carrying out the application in the data center, it carries out the method according to the invention described above or one or more variants of this method.

Ausführungsbeispiele der Erfindung werden nachfolgend anhand der beigefügten Figuren detailliert beschrieben.Embodiments of the invention are described below in detail with reference to the accompanying drawings.

Es zeigen:

Fig. 1
eine schematische Darstellung des Nachrichtenaustausches gemäß einer ersten Ausführungsform des erfindungsgemäßen Verfahrens; und
Fig. 2
eine schematische Darstellung des Nachrichtenaustausches gemäß einer zweiten Ausführungsform des erfindungsgemäßen Verfahrens.
Show it:
Fig. 1
a schematic representation of the message exchange according to a first embodiment of the method according to the invention; and
Fig. 2
a schematic representation of the message exchange according to a second embodiment of the method according to the invention.

Die nachfolgend beschriebenen Ausführungsformen des erfindungsgemäßen Verfahrens betreffen den kryptographischen Schutz einer Applikation APPL, welche zu einem Applikationseigner gehört, der in Fig. 1 und Fig. 2 durch das Bezugszeichen AO angedeutet ist. Der Applikationseigner stellt dabei eine Instanz bzw. Institution, wie z. B. ein Unternehmen, dar, zu dem die Applikation APPL gehört. Beispielsweise kann die Applikation APPL von dem Applikationseigner entwickelt worden sein. Über die Applikation stellt der Applikationseigner seinen Kunden einen entsprechenden Dienst bereit, wobei er die Applikation zur Bereitstellung des Dienstes nicht selbst ausführt, sondern sich hierzu eines Rechenzentrums bedient, auf dem die Applikation läuft. Das Rechenzentrum ist somit eine externe Einheit, welche von einem nicht zum Applikationseigner AO gehörenden Dienstbetreiber verwaltet wird. Es besteht deshalb die Notwendigkeit, die Applikation APPL bzw. entsprechende Applikationsdaten in geeigneter Weise vor einem unbefugten Zugriff des Dienstbetreibers zu schützen. Hierzu wird ein privater Schlüssel in der Form eines Master-Keys MK verwendet, mit dem durch die Applikation erzeugte Daten in dem entsprechenden Speicher im Rechenzentrum (z. B. auf einer Festplatte im Rechenzentrum) geeignet verschlüsselt werden. Dabei ist sicherzustellen, dass zwar die Applikation Zugriff auf den Master-Key MK hat, dieser jedoch vor dem Zugriff des Dienstbetreibers kryptographisch geschützt wird.The embodiments of the inventive method described below relate to the cryptographic protection of an application APPL, which belongs to an application owner, who in Fig. 1 and Fig. 2 is indicated by the reference numeral AO. The application owner provides an instance or institution, such. A company to which the application APPL belongs. For example, the application APPL may have been developed by the application owner. Via the application, the application owner provides his customers with a corresponding service, wherein he does not execute the application for providing the service himself, but instead uses a data center on which the application runs. The data center is thus an external unit which is managed by a service operator not belonging to the application owner AO. There is therefore a need to use the application APPL or appropriate application data in a suitable manner to protect against unauthorized access by the service operator. For this purpose, a private key in the form of a master key MK is used, with which data generated by the application are suitably encrypted in the corresponding memory in the data center (eg on a hard disk in the data center). It must be ensured that, although the application has access to the master key MK, this is cryptographically protected from access by the service provider.

Zur Bereitstellung des Master-Keys MK wird in der nachfolgend beschriebenen Ausführungsform ein so genanntes Hardware-Sicherheitsmodul HSM verwendet, welches an sich aus dem Stand der Technik bekannt ist, wobei dieses Sicherheitsmodul dem Applikationseigner gehört und eine kryptographisch gesicherte Umgebung darstellt, in welcher der Master-Key MK hinterlegt ist. Das Hardware-Sicherheitsmodul HSM ist in dem Rechenzentrum vorgesehen, d.h. es ist mit einem entsprechenden Rechner im Rechenzentrum in geeigneter Weise über eine drahtlose oder drahtgebundene Schnittstelle verbunden, wobei der kryptographische Schutz des Hardware-Sicherheitsmoduls sicherstellt, dass der Dienstbetreiber, der das Rechenzentrum verwaltet, keine Zugriffsmöglichkeit auf die darauf gespeicherten Daten hat.To provide the master key MK, a so-called hardware security module HSM is used in the embodiment described below, which is known per se from the prior art, this security module belongs to the application owner and represents a cryptographically secured environment in which the master -Key MK is deposited. The hardware security module HSM is provided in the data center, i. it is properly connected to a corresponding computer in the data center via a wireless or wired interface, where the cryptographic protection of the hardware security module ensures that the service operator managing the data center has no access to the data stored thereon.

Ziel des erfindungsgemäßen Verfahrens ist es nunmehr, einen automatisierten Zugriff auf den Master-Key NK unter der Kontrolle des Applikationseigners AO zu schaffen, so dass die Applikation APPL den Master-Key zur Verschlüsselung von Daten empfängt, ohne dass der Dienstbetreiber des Rechenzentrums eine Zugriffsmöglichkeit auf den Master-Key hat. Um dies zu erreichen, wird eine gesicherte Authentisierung der Applikation APPL gegenüber dem Hardware-Sicherheitsmodul HSM durchgeführt, wobei die Authentisierung auch gegenüber Angreifern geschützt ist, welche Administratorrechte im Rechenzentrum haben. Eine Randbedingung ist dabei, dass die Authentisierung der Applikation an dem Hardware-Sicherheitsmodul automatisch, d.h. ohne Eingriff von Personen, erfolgen soll. Durch diese Randbedingung wird sichergestellt, dass die Applikation nach einem Systemabsturz automatisch sofort wieder starten kann.The aim of the method according to the invention is now to create an automated access to the master key NK under the control of the application owner AO, so that the application APPL receives the master key for encrypting data, without the service provider of the data center having access to has the master key. In order to achieve this, secure authentication of the application APPL against the hardware security module HSM is carried out, whereby the authentication is also protected against attackers who have administrator rights in the data center. One constraint is that the authentication of the application to the hardware security module automatically, ie without the intervention of people should be done. Through this Boundary condition ensures that the application can automatically restart immediately after a system crash.

Im Folgenden wird unter dem Applikationseigner AO eine entsprechend gesicherte Rechnerumgebung verstanden, die dem Applikationseigner zugeordnet ist. Das heißt, wenn nachfolgende Schritte durch den Applikationseigner durchgeführt werden oder mit dem Applikationseigner kommuniziert wird, bedeutet dies, dass ein entsprechendes Rechnermittel, realisiert durch Software bzw. Hardware, welches Teil der sicheren Rechnerumgebung ist, an dem Verfahrensschritt bzw. der Kommunikation beteiligt ist. Nachfolgend wird ferner vorausgesetzt, dass es im laufenden Betrieb der Applikation einen sicheren Kanal zwischen dem Applikationseigner AO und der Applikation APPL gibt, über den der Applikationseigner AO mit der Applikation APPL Nachrichten austauschen kann, so dass kein Dritter, auch nicht ein System-Administrator des Rechenzentrums, diese Nachrichten lesen kann. Ein solcher sicherer Kanal, der dem zweiten sicheren Kanal im Sinne der Patentansprüche entspricht, ist problemlos zwischen Applikationseigner AO und Applikation APPL realisierbar, da die Applikation dem Applikationseigner gehört und diesem somit bekannt ist. Folglich kann in geeigneter Weise beim Ablauf der Applikation im Rechenzentrum ein entsprechendes, nur dem Applikationseigner und der Applikation bekanntes Geheimnis generiert werden, dass dann zum Aufbau des sicheren Kanals zwischen Applikationseigner und Applikation verwendet wird.In the following, the application owner AO is understood to be a correspondingly secure computer environment that is assigned to the application owner. That is, if subsequent steps are performed by the application owner or communicated with the application owner, this means that a corresponding computing means realized by software or hardware, which is part of the secure computing environment, is involved in the method step or the communication. It is further assumed below that during operation of the application there is a secure channel between the application owner AO and the application APPL, via which the application owner AO can exchange messages with the application APPL, so that no third party, not even a system administrator of the application Data Center, read this news. Such a secure channel, which corresponds to the second secure channel in the sense of the claims, can easily be implemented between the application owner AO and the application APPL, since the application belongs to the application owner and is therefore known to the application owner. Consequently, a corresponding, known only to the application owner and the application secret can be generated in a suitable manner at the end of the application in the data center, which is then used to establish the secure channel between the application owner and application.

Im Folgenden werden anhand von Fig. 1 und Fig. 2 zwei Varianten des erfindungsgemäßen Verfahrens beschrieben, wobei im Rahmen der Verfahren entsprechende Nachrichten N1, N2, N3 und N4 ausgetauscht werden. Dabei bezeichnet die Notation {N}:k eine Verschlüsselung bzw. Signatur einer in den Klammern stehenden Nachricht N mit einem entsprechenden Schlüssel k bzw. einer entsprechenden Signatur k. Ferner werden folgende Bezeichnungen im Rahmen von Fig. 1 und Fig. 2 verwendet:

  • sig(HSM): Signatur des Hardware-Sicherheitsmoduls HSM, mit einem entsprechenden privaten Schlüssel von HSM;
  • sig(AO): Signatur des Applikationseigners AO, mit einem entsprechenden privaten Schlüssel von AO;
  • K(AO): Öffentlicher Schlüssel des Applikationseigners AO;
  • K(HSM) Öffentlicher Schlüssel des Hardware-Sicherheitsmoduls HSM;
  • k: Schlüssel zur Verschlüsselung der Kommunikation zwischen Applikationseigner AO und Applikation APPL;
  • key: gemeinsames Geheimnis zwischen Applikation APPL und Hardware-Sicherheitsmodul HSM, welches im Rahmen der nachfolgend beschriebenen erfindungsgemäßen Varianten generiert und ausgetauscht wird;
  • SID: Session-Identifikation, welche zu Beginn des Verfahrens generiert wird.
The following are based on Fig. 1 and Fig. 2 described two variants of the method according to the invention, wherein in the context of the method corresponding messages N1, N2, N3 and N4 are exchanged. The notation {N}: k denotes an encryption or signature of a message N in the parentheses with a corresponding key k or a corresponding signature k. Furthermore, the following terms are used in the context of Fig. 1 and Fig. 2 used:
  • sig (HSM): Signature of the hardware security module HSM, with a corresponding private key of HSM;
  • sig (AO): signature of the application owner AO, with a corresponding private key of AO;
  • K (AO): Public key of the application owner AO;
  • K (HSM) Public key of the hardware security module HSM;
  • k: key for encryption of communication between application owner AO and application APPL;
  • key: shared secret between the application APPL and the hardware security module HSM, which is generated and exchanged in the context of the inventive variants described below;
  • SID: session identification, which is generated at the beginning of the procedure.

Sofern die Bezugszeichen APPL und HSM innerhalb der ausgetauschten Nachrichten verwendet werden, so bezeichnen diese eindeutige Identifikatoren der Applikation bzw. des Hardware-Sicherheitsmoduls, z. B. einen Hash-Code der Applikation bzw. eine Seriennummer des Hardware-Sicherheitsmoduls.If the reference symbols APPL and HSM are used within the exchanged messages, then these designate unique identifiers of the application or of the hardware security module, eg. B. a hash code of the application or a serial number of the hardware security module.

Im Rahmen der Ausführungsform der Fig. 1 wird ein Nachrichtenaustausch von der Applikation APPL über eine Nachricht N1, initialisiert, welche von der Applikation APPL an das Hardware-Sicherheitsmodul HSM geschickt wird und den Identifikator der Applikation APPL und des Hardware-Sicherheitsmoduls HSM enthält. Anschließend generiert das Hardware-Sicherheitsmodul einen symmetrischen Schlüssel "key", der am Ende des Verfahrens das gemeinsame Geheimnis zwischen Applikation und Hardware-Sicherheitsmodul darstellt. Dieser symmetrische Schlüssel wird über einen ersten sicheren Kanal basierend auf der Nachricht N2 von dem Hardware-Sicherheitsmodul HSM an den Applikationseigner AO gesendet. In der Nachricht N2 ist eine Nachricht M1 enthalten, welche den Schlüssel key, die Identifikatoren der Applikation APPL und des Sicherheitsmoduls HSM sowie eine Session-Identifikation SID enthält. Diese Session-Identifikation wurde von dem HSM erzeugt. Die Nachricht M1 ist dabei mit dem öffentlichen Schlüssel K(AO) des Applikationseigners verschlüsselt und ferner mit der Signatur sig(HSM) des Hardware-Sicherheitsmoduls signiert. Basierend auf dieser Nachricht M2 wird sichergestellt, dass der generierte Schlüssel key nicht von den System-Administratoren des Rechenzentrums gelesen werden kann, denn diese haben keinen Zugriff auf den privaten Schlüssel des Applikationseigners zum Entschlüsseln der Nachricht M1. Dadurch, dass die Nachricht M2 mit sig(HSM) signiert ist, kann sich der Applikationseigner AO sicher sein, dass die Nachricht und damit auch der Schlüssel key von dem Sicherheitsmodul HSM stammen.In the context of the embodiment of Fig. 1 a message exchange is initialized by the application APPL via a message N1, which is sent by the application APPL to the hardware security module HSM and contains the identifier of the application APPL and the hardware security module HSM. Subsequently, the hardware security module generates a symmetric key "key", which at the end of the procedure represents the shared secret between the application and the hardware security module. This symmetric key is sent via a first secure channel based on the message N2 from the hardware security module HSM to the application owner AO. In message N2 is a Message M1 containing the key key, the identifiers of the application APPL and the security module HSM and a session identification SID. This session identification was generated by the HSM. The message M1 is encrypted with the public key K (AO) of the application owner and further signed with the signature sig (HSM) of the hardware security module. Based on this message M2, it is ensured that the generated key key can not be read by the system administrators of the data center because they do not have access to the private key of the application owner for decrypting the message M1. Because the message M2 is signed with sig (HSM), the application owner AO can be sure that the message and thus also the key key originate from the security module HSM.

Nach Empfang der Nachricht N2 sendet der Applikationseigner AO eine Nachricht N3 über den zwischen Applikationseigner AO und Applikation APPL etablierten sicheren Kanal an die Applikation. Die Nachricht N3 enthält dabei die zuvor im Rahmen der Nachricht N2 übermittelte Nachricht M1, welche nunmehr über den entsprechenden Schlüssel k, der die Kommunikation zwischen AO und APPL schützt, verschlüsselt ist. Durch den sicheren Kanal zwischen dem Applikationseigner AO und der Applikation APPL wird sichergestellt, dass nur die Applikation APPL den Schlüssel key aus der Nachricht N3 auslesen kann.After receiving the message N2, the application owner AO sends a message N3 to the application via the secure channel established between the application owner AO and the application APPL. The message N3 contains the previously transmitted as part of the message N2 message M1, which is now encrypted via the corresponding key k, which protects the communication between AO and APPL. The secure channel between the application owner AO and the application APPL ensures that only the application APPL can read the key key from the message N3.

In einem nächsten Schritt erfolgt schließlich die Authentisierung der Applikation APPL gegenüber dem Sicherheitsmodul HSM, wobei die Authentisierung basierend auf der Nachricht N4 erfolgt, welche die Identifikatoren der Applikation APPL und des Sicherheitsmoduls HSM sowie die Session-Identifikation SID enthält und mit dem ursprünglich im HSM generierten Schlüssel key verschlüsselt ist. Die Authentisierung ist dabei nur dann erfolgreich, wenn HSM die Nachricht mit dem ursprünglich von ihm generierten Schlüssel entschlüsseln kann. Ein weiteres Sicherheitsmerkmal wird dadurch erreicht, dass ferner die übermittelte Session-Identifikation SID mit der ursprünglich vom HSM generierten Session-Identifikation übereinstimmen muss. Auf diese Weise wird ein Schutz vor sogenannten Replay-Angriffen gewährleistet, bei denen schon einmal im Rahmen einer früheren Authentisierung übermittelte Nachrichten nochmals verwendet werden.Finally, in a next step, the application APPL is authenticated to the security module HSM, wherein the authentication takes place based on the message N4, which contains the identifiers of the application APPL and the security module HSM and the session identification SID and with the originally generated in the HSM Key key is encrypted. Authentication is only successful if HSM can decrypt the message with the key originally generated by it. Another security feature is achieved by further that the transmitted session identification SID with the originally generated by the HSM session identification must match. In this way, a protection against so-called replay attacks is ensured, in which already once in the context of a previous authentication transmitted messages are used again.

Sollte das Entschlüsseln der Nachricht N4 mit dem Schlüssel key des HSM möglich sein und ferner die Session-Identifikation SID mit der ursprünglichen Session-Identifikation übereinstimmen, ist die Authentisierung erfolgreich. Nun kann sich das Hardware-Sicherheitsmodul HSM sicher sein, dass Nachrichten, die von der Applikation APPL bei ihm empfangen werden und mit dem Schlüssel key verschlüsselt sind, wirklich von der Applikation stammen. Gemäß der Variante der Fig. 1 wird dabei erreicht, dass das Geheimnis key über vertrauenswürdige Verbindungen unter Zwischenschaltung des Applikationseigners AO an die Applikation APPL gelangt, ohne dass ein System-Administrator des Rechenzentrums die Möglichkeit hat, auf das Geheimnis zuzugreifen.If the decrypting of the message N4 with the key key of the HSM be possible and also the session identification SID with the original session identification match, the authentication is successful. Now, the hardware security module HSM can be sure that messages that are received by the application APPL and encrypted with the key key, really come from the application. According to the variant of Fig. 1 This ensures that the secret key over trusted connections with the interposition of the application owner AO reaches the application APPL, without a system administrator of the data center has the opportunity to access the secret.

Nach erfolgreicher Authentisierung kann mit Hilfe des Schlüssels key ein sicherer Kanal zwischen der Applikation APPL und dem Sicherheitsmodul HSM aufgebaut werden. Über diesen Kanal wird dann der Master-Key MK an die Applikation APPL übermittelt werden, welche anschließend Applikationsdaten mit diesem Schlüssel verschlüsseln kann.After successful authentication, a secure channel between the APPL application and the HSM security module can be set up using the key key. The master key MK is then transmitted to the application APPL via this channel, which can then encrypt application data with this key.

Fig. 2 zeigt eine zweite Variante des erfindungsgemäßen Verfahrens. In dieser Variante wird im Unterschied zur Ausführungsform der Fig. 1 das gemeinsame Geheimnis in der Form des Schlüssels key nicht vom Hardware-Sicherheitsmodul HSM, sondern von dem Applikationseigner AO generiert. In einem ersten Schritt wird zunächst von der Applikation APPL, die sich gegenüber dem Hardware-Sicherheitsmodul HSM authentisieren will, eine gesicherte Nachricht N1 an den Applikationseigner AO gesendet. Diese, über den Schlüssel k verschlüsselte Nachricht enthält eine Session-Identifikation SID, welche nunmehr von der Applikation APPL generiert wird, sowie Identifikatoren des Hardware-Sicherheitsmoduls HSM und der Applikation APPL. Fig. 2 shows a second variant of the method according to the invention. In this variant, in contrast to the embodiment of Fig. 1 the shared secret in the form of the key key is not generated by the hardware security module HSM but by the application owner AO. In a first step, a secure message N1 is first sent to the application owner AO by the application APPL, which wishes to authenticate itself to the hardware security module HSM. This message encrypted via the key k contains a session identification SID, which is now generated by the application APPL, as well as identifiers of the hardware security module HSM and the application APPL.

Nach Empfang der Nachricht N1 erzeugt der Applikationseigner AO den symmetrischen Schlüssel key. Dieser Schlüssel stellt das gemeinsame Geheimnis dar, das am Ende des Verfahrens die Applikation APPL gegenüber dem Sicherheitsmodul HSM authentisiert. Um diese Authentisierung zu erreichen, muss der Schlüssel key sicher an die Applikation APPL und das Sicherheitsmodul HSM übertragen werden. Dies wird im Rahmen der Fig. 2 durch die Übermittlung der Nachricht N2 vom Applikationseigner AO an die Applikation APPL sowie der Nachricht N3 von der Applikation APPL an das Sicherheitsmodul HSM erreicht. Im Unterschied zu Fig. 1 wird dabei kein separater sicherer Kanal zwischen Applikationseigner AO und Sicherheitsmodul HSM aufgebaut. Vielmehr wird ein sicherer Kanal zwischen Applikationseigner AO und Sicherheitsmodul HSM über die Applikation APPL getunnelt.After receiving the message N1, the application owner AO generates the symmetric key key. This key represents the shared secret that authenticates the APPL application to the HSM security module at the end of the procedure. To achieve this authentication, the key key must be securely transmitted to the application APPL and the security module HSM. This will be part of the Fig. 2 achieved by the transmission of the message N2 from the application owner AO to the application APPL and the message N3 from the application APPL to the security module HSM. In contrast to Fig. 1 In this case, no separate secure channel is established between application owner AO and security module HSM. Instead, a secure channel is tunneled between application owner AO and security module HSM via the application APPL.

Im Rahmen der soeben erwähnten Nachricht N2 wird eine Nachricht M2 zusammen mit dem generierten Schlüssel key, der Session-Identifikation SID und dem Identifikator des Hardware-Sicherheitsmoduls HSM übermittelt. Die Nachricht M2 enthält dabei nochmals die Session-Identifikation SID und den Schlüssel key sowie den Identifikator der Applikation APPL. Die Nachricht ist dabei mit dem öffentlichen Schlüssel K(HSM) des Sicherheitsmoduls verschlüsselt und ferner mit der Signatur sig(AO) des Applikationseigners signiert. Die Kombination aus verschlüsselter und signierter Nachricht M2 mit SID, HSM und key wird über den sicheren Kanal zwischen AO und APPL an die Applikation APPL übermittelt. Anschließend entschlüsselt APPL die Nachricht und erhält damit den Schlüssel key, der im Arbeitsspeicher gehalten wird. Durch die in der Nachricht enthaltene Session-Identifikation SID kann die Applikation verifizieren, dass die Nachricht aktuell ist, denn sie kann die übermittelte Session-Identifikation mit der ursprünglich von ihr generierten Session-Identifikation vergleichen. Anschließend sendet die Applikation APPL eine Nachricht N3 an das Sicherheitsmodul HSM, wobei diese Nachricht die in der zuvor empfangenen Nachricht N2 enthaltene Nachricht M2 umfasst, die mit sig(AO) signiert ist und mit dem öffentlichen Schlüssel des Sicherheitsmoduls HSM verschlüsselt ist, so dass sie nicht von der Applikation entschlüsselt werden konnte. Darüber hinaus verschlüsselt die Applikation APPL die Session-Identifikation mit dem Schlüssel key und fügt das Ergebnis an die Nachricht N3 an.In the context of the just mentioned message N2, a message M2 is transmitted together with the generated key key, the session identification SID and the identifier of the hardware security module HSM. The message M2 again contains the session identification SID and the key key and the identifier of the application APPL. The message is encrypted with the public key K (HSM) of the security module and further signed with the signature sig (AO) of the application owner. The combination of encrypted and signed message M2 with SID, HSM and key is transmitted via the secure channel between AO and APPL to the application APPL. Then APPL decrypts the message and thus obtains the key key that is held in memory. By means of the session identification SID contained in the message, the application can verify that the message is up-to-date, because it can compare the transmitted session identification with the session identification originally generated by it. Subsequently, the application APPL sends a message N3 to the security module HSM, this message comprising the message M2 contained in the previously received message N2, which is signed with sig (AO) and is encrypted with the public key of the security module HSM, so that it could not be decrypted by the application. In addition, the application APPL encrypts the session identification with the key key and attaches the result to the message N3.

Nach Empfang der Nachricht N3 kann das Sicherheitsmodul HSM über die Signatur sig(AO) verifizieren, dass der Applikationseigner AO diese Nachricht erzeugt hat und den Schlüssel key auch sicher an die Applikation APPL übermittelt hat. Anschließend kann das HSM die verschlüsselte Session-Identifikation über den bei ihm hinterlegten Schlüssel key entschlüsseln, was beweist, dass APPL im Besitz des gemeinsamen Geheimnisses key ist. Aufgrund der erfolgreichen Entschlüsselung ist dann die Applikation APPL gegenüber dem Sicherheitsmodul HSM authentisiert, d.h. das Sicherheitsmodul HSM kann sicher sein, dass die mit dem Schlüssel key verschlüsselten Nachrichten von APPL kommt. Über den Vergleich der Session-Identifikation SID in der Nachricht N3 mit der über key verschlüsselten Session-Identifikation kann das Sicherheitsmodul HSM ferner ermitteln, dass die Nachricht N3 kein Replay einer alten Nachricht ist. Nach der Authentisierung kann dann zwischen der Applikation APPL und dem Sicherheitsmodul HSM ein sicherer Kanal unter Verwendung des gemeinsamen Geheimnisses in der Form des Schlüssels key aufgebaut werden, woraufhin dann der Master-Key MK von dem HSM an die Applikation APPL übertragen werden kann, so dass die Applikation anschließend der Applikationsdaten mit diesem Master-Key verschlüsseln kann.After receiving the message N3, the security module HSM can verify via the signature sig (AO) that the application owner AO has generated this message and has also securely transmitted the key to the application APPL. Subsequently, the HSM can decrypt the encrypted session identification via the key key deposited with it, proving that APPL has the shared secret key. Due to the successful decryption then the application APPL is authenticated to the security module HSM, i. the security module HSM can be sure that the key encrypted messages come from APPL. By comparing the session identification SID in the message N3 with the key-encrypted session identification, the security module HSM can also determine that the message N3 is not a replay of an old message. After the authentication, a secure channel can then be established between the application APPL and the security module HSM using the shared secret in the form of the key key, whereupon the master key MK can then be transferred from the HSM to the application APPL, so that the application can then encrypt the application data with this master key.

Die im Vorangegangenen beschriebene Erfindung weist eine Reihe von Vorteilen auf. Insbesondere wird eine sichere Authentisierung der Applikation APPL beim Sicherheitsmodul HSM des Applikationseigners AO ermöglicht, ohne dass der externe Dienstbetreiber, auf dessen Rechenzentrum die Applikation läuft, die Möglichkeit hat, auf das im Rahmen der Authentisierung erzeugte gemeinsame Geheimnis zwischen Applikation und Sicherheitsmodul zuzugreifen. Dies wird durch die Verwendung eines dem Applikationseigner zugeordneten Sicherheitsmoduls sowie eine Kommunikation über sichere Kanäle unter Zwischenschaltung des Applikationseigners erreicht. Dabei kann der Zugriff auf den Master-Key des Sicherheitsmoduls automatisch erfolgen, ohne dass manuell ein Passwort von berechtigten Personen des Applikationseigners eingegeben werden muss.The invention described above has a number of advantages. In particular, a secure authentication of the application APPL at the security module HSM of the application owner AO is made possible without the external Service operator whose data center is running the application, has the ability to access the common secret generated in the context of authentication between application and security module. This is achieved by using a security module assigned to the application owner as well as communication via secure channels with the interposition of the application owner. In this case, the access to the master key of the security module can be carried out automatically, without having to manually enter a password from authorized persons of the application owner.

Claims (15)

  1. Method for the cryptographic protection of an application (APPL), wherein the application (APPL) is associated with an application owner (AO) and is executed in a data processing centre which is administered by an external service provider not belonging to the application owner (AO), wherein a security module (HSM) of the application owner (AO) is provided in the data processing centre, on which security module (HSM) private cryptographic material (MK) of the application owner (AO) is stored, wherein:
    - a cryptographic secret (key) is generated by a generation means of the application owner (AO) or by the security module (HSM);
    - the cryptographic secret (key) is transmitted between a computer means of the application owner (AO) and the security module (HSM) via a first secure channel which protects the communication between the application (APPL) and the computer means, as a result of which the cryptographic secret (key) is made accessible to the computer means and the security module (HSM);
    - the cryptographic secret (key) is transmitted from the computer means of the application owner (AO) to the application (APPL) via a second secure channel which protects the communication between the application (APPL) and the computer means, as a result of which the cryptographic secret (key) is made accessible to the application (APPL);
    - an authentication of the application (APPL) to the security module (HSM) is carried out based on the cryptographic secret (key) that is accessible to the application (APPL) and the security module (HSM), wherein following successful authentication the cryptographic material (MK) of the application owner (AO) can be transmitted from the security module (HSM) to the application (APPL) via a channel protected by the cryptographic secret (key).
  2. Method according to claim 1, wherein the authentication of the application (APPL) is accomplished in such a way that information is encrypted by the application (APPL) using the cryptographic secret (key) that is accessible to the application (APPL) and is transmitted to the security module (HSM), a condition for a successful authentication being that the security module (HSM) can decrypt the information using the cryptographic secret (key) that is accessible to the security module (HSM).
  3. Method according to claim 1 or 2, wherein a session identity (SID) is generated which is transmitted in addition at the time of the transmission of the cryptographic secret (key) via the first secure channel and/or via the second secure channel and/or as part of the authentication of the application (APPL), it being verified in the course of the method whether the session identity (SID) remains unchanged.
  4. Method according to claim 2 and 3, wherein the session identity (SID) is the information which is encrypted by the application (APPL) during its authentication and transmitted to the security module (HSM).
  5. Method according to one of the preceding claims, wherein the cryptographic secret (key) is generated by the security module (HSM) and transmitted to the computer means of the application owner (AO) via the first secure channel, the first secure channel being formed in that a first message (M1) is encrypted by means of a first encryption to which the service provider has no access and is then transmitted to the computer means of the application owner (AO), the first message (M1) containing the cryptographic secret (key).
  6. Method according to claim 5, wherein the encrypted first message (M1) is signed with a signature (sig(HSM)) of the security module (HSM).
  7. Method according to claim 5 or 6, wherein the first encryption is carried out using a public key (K(AO)) of the application owner (AO) or using a private key which is known only to the application owner (AO) and to the security module (HSM).
  8. Method according to one of claims 5 to 7, wherein the encrypted first message (M1) transmitted to the computer means of the application owner (AO) is decrypted and subsequently transmitted to the application (APPL) via the second secure channel, the second secure channel being formed in that the decrypted first message (M1) is encrypted by means of a second encryption to which the service provider has no access and is then sent to the application (APPL).
  9. Method according to one of the preceding claims, wherein the cryptographic secret (key) is generated by the generation means of the application owner (AO) and transmitted to the security module (HSM) via the first secure channel, the first secure channel being formed in that a second message (M2) is encrypted by means of a second encryption to which the service provider has no access and is then sent to the security module (HSM), the second message (M2) containing the cryptographic secret (key).
  10. Method according to claim 9, wherein the encrypted second message (M2) is signed with a signature of the application owner (sig(AO)).
  11. Method according to claim 9 or 10, wherein the second encryption of the second message (M2) is carried out using a public key (K(HSM)) of the security module (HSM) or using a private key which is known only to the application owner (AO) and to the security module (HSM).
  12. Method according to one of the preceding claims, wherein the first secure channel is tunnelled by way of the application (APPL).
  13. Method according to claim 12 in combination with one of claims 9 to 11, wherein the first secure channel is formed in that the encrypted second message (M2) is transmitted to the application (APPL) initially via the second secure channel together with at least the cryptographic secret (key), the application (APPL) thereupon transmitting the received encrypted second message (M2) to the security module.
  14. System for the cryptographic protection of an application (APPL), wherein the application (APPL) is associated with an application owner (AO) and can be executed in a data processing centre which is administered by an external service provider not belonging to the application owner (AO), wherein the system includes a security module (HSM) of the application owner (AO), which security module (HSM) is provided in the data processing centre and on which private cryptographic material (MK) of the application owner (AO) is stored, as well as a generation means and a computer means of the application owner, wherein the system is embodied in such a way that it performs the following steps when the application (APPL) is executed in the data processing centre:
    - a cryptographic secret (key) is generated by the generation means of the application owner (AO) or by the security module (HSM);
    - the cryptographic secret (key) is transmitted between a computer means of the application owner (AO) and the security module (HSM) via a first secure channel which protects the communication between the application (APPL) and the computer means, as a result of which the cryptographic secret (key) is made accessible to the computer means and the security module (HSM);
    - the cryptographic secret (key) is transmitted from the computer means of the application owner (AO) to the application (APPL) via a second secure channel which protects the communication between the application (APPL) and the computer means, as a result of which the cryptographic secret (key) is made accessible to the application (APPL);
    - an authentication of the application (APPL) to the security module (HSM) is carried out based on the cryptographic secret (key) which is accessible to the application (APPL) and the security module (HSM), wherein following successful authentication the cryptographic material (MK) of the application owner (AO) can be transmitted from the security module (HSM) to the application (APPL) via a channel protected by the cryptographic secret (key).
  15. System according to claim 14, which is embodied in such a way that a method as claimed in one of claims 2 to 13 can be performed by the system.
EP11728814.2A 2010-07-19 2011-06-22 Method for cryptographic protection of an application Not-in-force EP2567501B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102010027586A DE102010027586B4 (en) 2010-07-19 2010-07-19 Method for the cryptographic protection of an application
PCT/EP2011/060487 WO2012010380A1 (en) 2010-07-19 2011-06-22 Method for the cryptographic protection of an application

Publications (2)

Publication Number Publication Date
EP2567501A1 EP2567501A1 (en) 2013-03-13
EP2567501B1 true EP2567501B1 (en) 2014-08-13

Family

ID=44627772

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11728814.2A Not-in-force EP2567501B1 (en) 2010-07-19 2011-06-22 Method for cryptographic protection of an application

Country Status (5)

Country Link
US (1) US9215070B2 (en)
EP (1) EP2567501B1 (en)
CN (1) CN102986161B (en)
DE (1) DE102010027586B4 (en)
WO (1) WO2012010380A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102010027586B4 (en) 2010-07-19 2012-07-05 Siemens Aktiengesellschaft Method for the cryptographic protection of an application
US9135460B2 (en) * 2011-12-22 2015-09-15 Microsoft Technology Licensing, Llc Techniques to store secret information for global data centers
EP3036680B1 (en) * 2013-08-21 2018-07-18 Intel Corporation Processing data privately in the cloud
US10103872B2 (en) * 2014-09-26 2018-10-16 Intel Corporation Securing audio communications
CN104468096B (en) * 2014-12-01 2018-01-05 公安部第三研究所 Based on key disperse computing realize network electronic identification information protection method
FR3030821B1 (en) * 2014-12-22 2017-01-13 Oberthur Technologies METHOD OF AUTHENTICATING AN APPLICATION, ELECTRONIC APPARATUS AND COMPUTER PROGRAM THEREOF
DE102017204985A1 (en) * 2017-03-24 2018-09-27 Hytera Mobilfunk Gmbh Decryption device and use and operation of the decryption device with a measuring device
EP3627755A1 (en) * 2018-09-18 2020-03-25 Siemens Aktiengesellschaft Method for secure communication in a communication network having a plurality of units with different security levels
US11128609B1 (en) * 2018-12-13 2021-09-21 Secure Channels, Inc. System and method to improve user authentication for enhanced security of cryptographically protected communication sessions
DE102019003904A1 (en) * 2019-06-03 2020-12-03 Daimler Ag System for generating cryptographic material

Family Cites Families (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19925910B4 (en) 1999-06-07 2005-04-28 Siemens Ag Method for processing or processing data
US20030177401A1 (en) * 2002-03-14 2003-09-18 International Business Machines Corporation System and method for using a unique identifier for encryption key derivation
US7380125B2 (en) 2003-05-22 2008-05-27 International Business Machines Corporation Smart card data transaction system and methods for providing high levels of storage and transmission security
US7568098B2 (en) * 2003-12-02 2009-07-28 Microsoft Corporation Systems and methods for enhancing security of communication over a public network
US8139770B2 (en) * 2003-12-23 2012-03-20 Wells Fargo Bank, N.A. Cryptographic key backup and escrow system
EP1761904A1 (en) 2004-05-28 2007-03-14 International Business Machines Corporation Smart card data transaction system and methods for providing storage and transmission security
US20060093149A1 (en) * 2004-10-30 2006-05-04 Shera International Ltd. Certified deployment of applications on terminals
KR101383738B1 (en) * 2005-02-15 2014-04-08 톰슨 라이센싱 Key management system for digital cinema
US7822982B2 (en) * 2005-06-16 2010-10-26 Hewlett-Packard Development Company, L.P. Method and apparatus for automatic and secure distribution of a symmetric key security credential in a utility computing environment
US20060294580A1 (en) * 2005-06-28 2006-12-28 Yeh Frank Jr Administration of access to computer resources on a network
JP4698323B2 (en) * 2005-08-02 2011-06-08 フェリカネットワークス株式会社 Information processing apparatus and method, and program
DE102005061686A1 (en) * 2005-12-21 2007-06-28 Francotyp-Postalia Gmbh Method and arrangement for providing security-relevant services by a security module of a franking machine
US8522014B2 (en) * 2006-03-15 2013-08-27 Actividentity Method and system for storing a key in a remote security module
US9002018B2 (en) * 2006-05-09 2015-04-07 Sync Up Technologies Corporation Encryption key exchange system and method
US20120129452A1 (en) * 2006-09-24 2012-05-24 Rfcyber Corp. Method and apparatus for provisioning applications in mobile devices
SG147345A1 (en) * 2007-05-03 2008-11-28 Ezypay Pte Ltd System and method for secured data transfer over a network from a mobile device
CN101399665B (en) 2007-09-24 2011-07-13 上海贝尔阿尔卡特股份有限公司 Service authentication method and system by using cipher system based on identity as fundation
US8219826B2 (en) * 2008-09-04 2012-07-10 Total System Services, Inc. Secure pin character retrieval and setting
US20110085667A1 (en) * 2009-10-09 2011-04-14 Adgregate Markets, Inc. Various methods and apparatuses for securing an application container
US8527758B2 (en) * 2009-12-09 2013-09-03 Ebay Inc. Systems and methods for facilitating user identity verification over a network
US9461996B2 (en) * 2010-05-07 2016-10-04 Citrix Systems, Inc. Systems and methods for providing a single click access to enterprise, SAAS and cloud hosted application
DE102010027586B4 (en) 2010-07-19 2012-07-05 Siemens Aktiengesellschaft Method for the cryptographic protection of an application
US20120179909A1 (en) * 2011-01-06 2012-07-12 Pitney Bowes Inc. Systems and methods for providing individual electronic document secure storage, retrieval and use
US9172539B2 (en) * 2011-09-14 2015-10-27 Mastercard International Incorporated In-market personalization of payment devices
US20140031024A1 (en) * 2012-02-05 2014-01-30 Rfcyber Corporation Method and system for providing controllable trusted service manager
US8949594B2 (en) * 2013-03-12 2015-02-03 Silver Spring Networks, Inc. System and method for enabling a scalable public-key infrastructure on a smart grid network

Also Published As

Publication number Publication date
DE102010027586A1 (en) 2012-01-19
EP2567501A1 (en) 2013-03-13
US20130124860A1 (en) 2013-05-16
DE102010027586B4 (en) 2012-07-05
US9215070B2 (en) 2015-12-15
WO2012010380A1 (en) 2012-01-26
CN102986161B (en) 2015-09-09
CN102986161A (en) 2013-03-20

Similar Documents

Publication Publication Date Title
EP2567501B1 (en) Method for cryptographic protection of an application
DE60314060T2 (en) Method and device for key management for secure data transmission
EP3474172B1 (en) Access control using a blockchain
EP2749003B1 (en) Method for authenticating a telecommunication terminal comprising an identity module on a server device in a telecommunication network, use of an identity module, identity module and computer program
DE102016224537B4 (en) Master Block Chain
EP2765752B1 (en) Method for equipping a mobile terminal with an authentication certificate
WO2016008659A1 (en) Method and a device for securing access to wallets in which cryptocurrencies are stored
EP1872512A1 (en) Method for key administration for cryptography modules
EP1777907A1 (en) Method and devices for carrying out cryptographic operations in a client-server network
DE102020205993B3 (en) Concept for the exchange of cryptographic key information
AT504634B1 (en) METHOD FOR TRANSFERRING ENCRYPTED MESSAGES
EP3248324B1 (en) Decentralised operating on a produkt using centrally stored ecrypted data
DE102016215520A1 (en) Method and arrangement for secure electronic data communication
DE102018102608A1 (en) Method for user management of a field device
DE102018005284A1 (en) Chip personalization of an embedded system by a third party
DE102019109341B4 (en) Procedure for the secure exchange of encrypted messages
EP2383672B1 (en) One-time-password generator
EP4270863B1 (en) Secure reconstruction of private keys
DE102022000857B3 (en) Procedure for the secure identification of a person by a verification authority
DE102022002973B3 (en) Procedure for encrypted transmission of data
DE102022124552A1 (en) Method for secure communication between a transmitter and a receiver in a motor vehicle and communication system
WO2021228797A1 (en) Concept for interchanging encrypted data
EP4255004A1 (en) Method and system for onboarding for an iot device
DE102009040615A1 (en) A method of digital rights management in a computer network having a plurality of subscriber computers
DE4420967A1 (en) Decryption device for digital information and method for performing the encryption and decryption thereof

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121119

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/62 20130101ALI20131203BHEP

Ipc: H04L 9/32 20060101ALI20131203BHEP

Ipc: H04L 29/06 20060101ALI20131203BHEP

Ipc: H04L 9/08 20060101AFI20131203BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20140129

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: AT

Ref legal event code: REF

Ref document number: 682768

Country of ref document: AT

Kind code of ref document: T

Effective date: 20140815

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

Free format text: LANGUAGE OF EP DOCUMENT: GERMAN

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502011004050

Country of ref document: DE

Effective date: 20140925

REG Reference to a national code

Ref country code: NL

Ref legal event code: VDEP

Effective date: 20140813

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20141113

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20141114

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20141215

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20141113

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20141213

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502011004050

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 5

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20150515

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20150608

Year of fee payment: 5

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20150610

Year of fee payment: 5

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20150821

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150622

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150622

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150630

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150630

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 502011004050

Country of ref document: DE

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20160622

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20170228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20170103

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160630

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160622

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20110622

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150630

REG Reference to a national code

Ref country code: AT

Ref legal event code: MM01

Ref document number: 682768

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160622

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160622

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20140813